Chevron icon It indicates an expandable section or menu, or sometimes previous / next navigation options. HOMEPAGE

The 'internet of things' is a security nightmare, but Google and others have a plan to fix it

In October, a massive denial-of-service cyberattack on internet infrastructure Dyn knocked huge swathes of the web offline for millions of Americans and Europeans, from Netflix to Twitter. It was the largest attack of its kind in history — and it was powered by an army of hacked webcams and smart devices with shoddy or non-existent security.

Advertisement

In short: The "internet of things" is a nightmare — a fundamental threat to the security and safety of the web.

broken computers old man telephones
"Get your premium internet-connected toasters here!" Kamyar Adl/Flickr (CC)

But Google and other tech giants now have a plan to fix it.

On Tuesday, the Broadband Technical Advisory Group (BITAG) published a report on the security and privacy of the IoT, — including recommendations on how to improve it. If you haven't heard of BITAG, its a tech industry body formed back in 2010, which includes Google, Cisco, AT&T, T-Mobile, Comcast, Mozilla, and others. (We first saw its report on Engadget.)

While IoT device hijacking for use in DoS attacks is disturbing, it's not the only way the tech is being abused."Several recent incidents have demonstrated that some devices do not abide by rudimentary privacy and security best practices," BITAG's report says.

Advertisement

"In some cases, devices have been compromised and allowed unauthorized users to perform Distributed Denial of Service (DDoS) attacks, perform surveillance and monitoring, gain unauthorized access or control, induce device or system failures, and disturb or harass authorized users or device owners."

Problems with devices range from leaking Wi-Fi passwords to not being update-able, from having hardcoded default passwords to outdated and vulnerable firmware.

So that fancy internet-connected kettle you just bought might be spying on you, or leaking your home Wi-Fi password, or attacking computer networks thousands of miles away. Not ideal.

To try and solve this, BITAG has laid out a number of recommendations that it wants IoT manufacturers to abide by. Some of these are pretty basic (pointing to the scale of the problem), including shipping devices with "reasonably" current software without known vulnerabilities, and that manufacturers should follow best practices for encryption.

Advertisement

The group also wants to ensure that devices continue to work even without cloud or internet support, that privacy policies should be easily understandable, that there should be clear mechanisms for reporting bugs and vulnerabilities, and that devices should be resettable. (You can read BITAG's full report below.)

BITAG's not a regulatory body, so it doesn't have any power to force manufacturers to make changes. But there's a growing chorus of voices calling for government action, and it may add extra weight to these efforts.

"I'm really divided on what I think about regulation, but if it's needed somewhere, this might be it," F-Secure chief research officer Mikko Hypponen said in October. "We're regulating things on appliances anyway. They should not be able to give you an electric shock, they should not catch fire, they should not leak your Wi-Fi password either — I think that would be a good thing."

However, many of the hijacked devices used in recent attacks were made by a Chinese electronics company — raising the possibility that even if American manufacturers upped their game, some overseas companies looking to cut costs might not bother.

Advertisement

But this discussion is nonetheless long overdue, and may also help to raise awareness of the issues among consumers. Because right now, any attempt to change the status quo is very welcome.

Here's the full announcement and report from BITAG:

On February 28, Axel Springer, Business Insider's parent company, joined 31 other media groups and filed a $2.3 billion suit against Google in Dutch court, alleging losses suffered due to the company's advertising practices.

Internet of Things Security Google
Advertisement
Close icon Two crossed lines that form an 'X'. It indicates a way to close an interaction, or dismiss a notification.

Jump to

  1. Main content
  2. Search
  3. Account